Description
As part of this discussion, a valid comment was raised:
One thing we are also doing is extending Duende.AccessTokenManagement for token exchange, using TokenExchangeTokenRequest in Duende.IdentityModel. It's not supported at all in Duende.AccessTokenManagement, because you can't update the token request parameter grant type with urn:ietf:params:oauth:grant-type:token-exchange as it already has client_credentials, so we had to go a bit deeper. Although we still just return the ClientCredentialsToken model, as that's ingrained in Duende.AccessTokenManagement.
We also extend the AccessTokenHandler, and now we cannot use the base class in 4.0 anymore. We extend it to automatically detect the current tenant or user in the request scope, or pass values via the HttpRequestMessage.Options property, and alter the GetAccessTokenAsync call with either additional tenant or user token request parameters.
Initially, the plan was that ATM 4.0 would announce that the extensibility model would change, but not yet introduce the new model. After reconsideration, we decided that we're going to introduce the new extensibility model now.
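
The handler pattern described in the quoted comment, as an added example that is not code from Duende.AccessTokenManagement, Duende.IdentityModel or the commenter: a `DelegatingHandler` reads the tenant from `HttpRequestMessage.Options` and performs a token exchange with the `urn:ietf:params:oauth:grant-type:token-exchange` grant using plain `HttpClient` calls. The class name, the option key, the `tenant` form parameter, client authentication via form fields and the constructor arguments are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler for illustration; not a Duende.AccessTokenManagement type.
public sealed class TenantTokenExchangeHandler : DelegatingHandler
{
    // Hypothetical per-request option the caller sets to select the tenant.
    public static readonly HttpRequestOptionsKey<string> Tenant = new("tenant");

    private readonly HttpClient _tokenClient;   // used only for the token endpoint
    private readonly Uri _tokenEndpoint;        // supplied by configuration
    private readonly string _clientId, _clientSecret;
    private readonly Func<CancellationToken, Task<string>> _getSubjectToken;

    public TenantTokenExchangeHandler(HttpClient tokenClient, Uri tokenEndpoint, string clientId,
        string clientSecret, Func<CancellationToken, Task<string>> getSubjectToken)
    {
        _tokenClient = tokenClient; _tokenEndpoint = tokenEndpoint;
        _clientId = clientId; _clientSecret = clientSecret; _getSubjectToken = getSubjectToken;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // Fail closed: never fall back to a tenant-less token when the option is missing.
        if (!request.Options.TryGetValue(Tenant, out var tenant) || string.IsNullOrWhiteSpace(tenant))
            throw new InvalidOperationException("Request carries no tenant option.");

        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:token-exchange",
            ["subject_token"] = await _getSubjectToken(ct),
            ["subject_token_type"] = "urn:ietf:params:oauth:token-type:access_token",
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret,
            ["tenant"] = tenant, // assumed custom parameter understood by the token server
        };
        using var tokenRequest = new HttpRequestMessage(HttpMethod.Post, _tokenEndpoint) { Content = new FormUrlEncodedContent(form) };
        using var tokenResponse = await _tokenClient.SendAsync(tokenRequest, ct);
        tokenResponse.EnsureSuccessStatusCode();
        using var json = JsonDocument.Parse(await tokenResponse.Content.ReadAsStringAsync(ct));
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", json.RootElement.GetProperty("access_token").GetString());
        return await base.SendAsync(request, ct);
    }
}
```

If the exchanged tokens are cached, the cache key has to include the tenant (or user) value so that a token issued for one tenant is never attached to another tenant's request.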